
vulnerability for Version 1.x. CVE-2021-4104

Open zg2pro opened this issue 4 years ago • 2 comments

Hi,

Further to this vulnerability discovered in v1.x, can we possibly release log4j without the JMSAppender? Here are the recommendations provided on SLF4J's website: http://slf4j.org/log4shell.html (see the section on log4j 1.x):

In the absence of a new log4j 1.x release, you can remove JMSAppender from the log4j-1.2.17.jar artifact yourself. Here is the command:

   zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class

As tampering with the contents of public libs is not handy, this release would help.

I'm calling on contributors, @tallpsmith @scottdeboy @YoavShapira @grobmeier @garydgregory @pfumagalli; I hope one of you is still active.

Best regards, Gregory

zg2pro, Dec 17 '21 11:12
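The SLF4J advice quoted in the issue is a one-line `zip -d`, but a practitioner usually wants to first confirm whether a given jar still ships `org/apache/log4j/net/JMSAppender.class` and then verify that the stripped copy no longer does. The following script is an added example, not code from the issue, from SLF4J or from the log4j project. It reproduces the effect of `zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class` with the Python standard library only, so it runs where the `zip` binary is not installed. The jar produced by `make_sample_jar()` is a constructed stand-in whose class entries hold placeholder bytes rather than real bytecode; the `.nojms` output suffix is an arbitrary choice for the demo.

```python
"""Detect and strip JMSAppender from a log4j 1.x jar (CVE-2021-4104 mitigation).

Added example, not code from the issue or from the log4j project. It does in
Python what the quoted command does with the zip tool:

    zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class

and then checks that the class is gone. The jar built by make_sample_jar() is
a constructed stand-in with placeholder bodies, not real bytecode.
"""
import io
import sys
import zipfile

JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
PLACEHOLDER = b"\xca\xfe\xba\xbe placeholder"  # constructed; not a real class file


def make_sample_jar() -> bytes:
    """Constructed stand-in for log4j-1.2.17.jar, returned as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", PLACEHOLDER)
        zf.writestr("org/apache/log4j/net/SocketAppender.class", PLACEHOLDER)
        zf.writestr(JMS_APPENDER, PLACEHOLDER)
    return buf.getvalue()


def has_jms_appender(jar: bytes) -> bool:
    """True if the jar still contains org/apache/log4j/net/JMSAppender.class."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return JMS_APPENDER in zf.namelist()


def strip_entries(jar: bytes, drop: set) -> tuple:
    """Return (new_jar_bytes, dropped_names): a copy of jar minus the entries in drop.

    Each kept entry is rewritten from its original ZipInfo, so timestamps and
    compression method carry over; only the dropped entries differ, as with zip -d.
    """
    out = io.BytesIO()
    dropped = []
    with zipfile.ZipFile(io.BytesIO(jar)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if info.filename in drop:
                dropped.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return out.getvalue(), dropped


def main(argv):
    # With a path argument, process a real jar on disk and write <path>.nojms
    # beside it; without one, run the demo on the constructed sample jar.
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            jar = f.read()
        target = argv[1] + ".nojms"
    else:
        jar = make_sample_jar()
        target = None
    print("JMSAppender present:", has_jms_appender(jar))
    fixed, dropped = strip_entries(jar, {JMS_APPENDER})
    print("dropped:", dropped)
    print("JMSAppender present after strip:", has_jms_appender(fixed))
    if target:
        with open(target, "wb") as f:
            f.write(fixed)
        print("wrote", target)


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats worth keeping in mind. Removing the class is only a mitigation for a configuration that does not use JMSAppender; any log4j.properties or log4j.xml that references `org.apache.log4j.net.JMSAppender` will fail to load once the class is gone, so check the configuration before stripping. And a jar edited this way no longer matches the checksum of the published artifact, which is exactly the "tampering with public libs" problem the issue raises; a build-time dependency substitution is easier to audit than a hand-edited jar.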

Hey, @zg2pro, you're not the only one with this suggestion! A few of us have been discussing what to do already. I just opened PR #16 with how far we got so far.

At Apache most communication happens on mailing lists. Could you join us there? See https://logging.apache.org/log4j/2.x/mail-lists.html for more information.

lsimons, Dec 17 '21 13:12

This PR should be closed.

See https://github.com/apache/logging-log4j1/blob/main/README.md for rationale.

See

  • https://reload4j.qos.ch/
  • https://github.com/qos-ch/reload4j

for a maintained/released fork with security fixes.

lsimons, Jan 20 '22 13:01